A much safer way to define secrets is to use kubectl. First, we create files containing the base64-encoded secret values similar to what we did in the preceding section, but this time we store the values in temporary files:
$ echo "sue-hunter" | base64 > username.txt
$ echo "123abc456def" | base64 > password.txt
Now we can use kubectl to create a secret from those files as follows:
$ kubectl create secret generic pets-secret-prod \
--from-file=./username.txt \
--from-file=./password.txt
secret "pets-secret-prod" created
The secret can then be used the same way as the manually created secret.
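With --from-file, kubectl names each key after the file and base64-encodes the file's bytes itself. The following added example (not from the original text; it is a model of that behavior rather than kubectl's own code, and the helper names are hypothetical) shows what a consumer of the secret would read for files prepared as above, compared with files that hold the raw values:

```python
import base64, os, tempfile

def model_from_file(paths):
    """Model of `kubectl create secret generic --from-file=<path>`:
    key = file basename, stored value = base64(raw file bytes)."""
    data = {}
    for p in paths:
        with open(p, "rb") as f:
            data[os.path.basename(p)] = base64.b64encode(f.read()).decode()
    return data

def consumer_view(data):
    """What a pod reads from the secret: the decoded bytes of each key."""
    return {k: base64.b64decode(v) for k, v in data.items()}

def audit(data):
    """Flag values a consumer would not expect (heuristic checks)."""
    findings = {}
    for key, raw in consumer_view(data).items():
        issues = ["trailing newline"] if raw.endswith(b"\n") else []
        try:
            # If the decoded value is itself valid base64 of printable text,
            # it was encoded once by hand and once more by kubectl.
            inner = base64.b64decode(raw.strip(), validate=True).decode("utf-8")
            if inner.strip() and inner.strip().isprintable():
                issues.append("value is still base64 text")
        except ValueError:  # not base64, or not text after decoding
            pass
        findings[key] = issues
    return findings

def write_sample(directory, pre_encode):
    """Constructed sample files; pre_encode=True mimics
    `echo "<value>" | base64 > file`, False writes the raw value."""
    paths = []
    for name, value in (("username.txt", b"sue-hunter"),
                        ("password.txt", b"123abc456def")):
        content = base64.b64encode(value + b"\n") + b"\n" if pre_encode else value
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(content)
        paths.append(path)
    return paths

def run(pre_encode):
    with tempfile.TemporaryDirectory() as d:
        data = model_from_file(write_sample(d, pre_encode))
    return data, audit(data)

if __name__ == "__main__":
    for mode in (True, False):
        data, findings = run(mode)
        print("pre-encoded files" if mode else "raw-value files")
        for key, raw in consumer_view(data).items():
            print(f"  {key}: consumer reads {raw!r} -> {findings[key] or 'ok'}")
```

On a real cluster, the same check is to read the created secret back and decode one key before any workload depends on it.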
Why is this method more secure than the other one, you might ask? First of all, no YAML file that defines the secret is stored in a source code version control system, such as GitHub, where the many people who have access could see and decode the secrets. Only the administrator who is authorized to know the secrets ever sees their values and uses them to create the secrets directly in the (production) cluster. The cluster itself is protected by role-based access control, so unauthorized people have no access to it and cannot decode the secrets defined in it.
But now, let's see how we can actually use the secrets that we have defined.